Commands run on an endpoint do not appear in the SIEM for 20 minutes or more
Environment
CB Response Server: 6.2 and Higher
Cause
The watchlist_search job is taking over 10 minutes to iterate through reports. Because the next watchlist search cannot start until the current one finishes, each subsequent watchlist search is delayed by at least 10 minutes.
Resolution
This behavior is expected if too many watchlists are enabled or if the enabled watchlists are inefficient.
Audit the current threat reports and watchlists and disable any that are not necessary, to reduce search time.
Rewrite or narrow any watchlists that regularly time out.
Additional Information
There will always be a slight delay between an event occurring on an endpoint and that event being ingested by the server.
/var/log/cb/job-runner/job-runner.log shows when a watchlist search completes and which watchlists may have failed to complete.
Log lines containing finished watchlist_search show the run time of each watchlist_search run. If a run finishes in under a second, a previous job is still running.
Log lines containing <err> [watchlist_search] show errors related to the watchlist_search job, including watchlists that are failing.
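The following script is an added example (not part of this article or the CB Response product) that pulls the three indicators above out of job-runner.log: runs slower than the 10-minute threshold, sub-second runs, and watchlist_search error lines. The exact layout of a job-runner.log line is an assumption here; only the phrases "finished watchlist_search" and "<err> [watchlist_search]" come from the article, so adjust the awk field handling to match the real log.

```shell
#!/bin/sh
# Added example: triage watchlist_search timing from job-runner.log.
# ASSUMED line layout (not documented in the KB):
#   <date> <time> <level> [watchlist_search] finished watchlist_search in <secs> seconds
LOG="${1:-/var/log/cb/job-runner/job-runner.log}"
THRESHOLD_SECS="${2:-600}"   # KB: a run over 10 minutes delays the next search

# Constructed sample log, in the assumed layout, so the functions can be
# exercised offline without access to a CB Response server.
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:00 <info> [watchlist_search] starting watchlist_search
2024-01-01 10:12:41 <info> [watchlist_search] finished watchlist_search in 761.2 seconds
2024-01-01 10:12:42 <err> [watchlist_search] watchlist 'Broad process search' timed out
2024-01-01 10:12:43 <info> [watchlist_search] finished watchlist_search in 0.4 seconds
EOF
}

# Print "<runtime_seconds> <date> <time>" for every run slower than $2 seconds.
slow_runs() {
    grep 'finished watchlist_search' "$1" \
      | awk -v t="$2" '{ for (i = 1; i <= NF; i++) if ($i == "in") { s = $(i+1); if (s+0 > t) print s, $1, $2 } }'
}

# Count runs that finished in under a second: per the KB, a previous job is still running.
instant_finishes() {
    grep 'finished watchlist_search' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "in" && $(i+1)+0 < 1) n++ } END { print n+0 }'
}

# Count error lines for the job; each one points at a watchlist worth auditing.
error_count() {
    grep -c '<err> \[watchlist_search\]' "$1" || true
}

# Stand-alone use on a server: summarise the live log if it is present.
if [ -f "$LOG" ]; then
    echo "watchlist_search runs slower than ${THRESHOLD_SECS}s:"
    slow_runs "$LOG" "$THRESHOLD_SECS"
    echo "sub-second runs (job still running): $(instant_finishes "$LOG")"
    echo "error lines: $(error_count "$LOG")"
fi
```

Run it as `sh triage.sh /var/log/cb/job-runner/job-runner.log 600` on the server; any slow run listed, or a non-zero error count, is the signal to start auditing watchlists as described in the Resolution.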